Add profile for luarocks #4596
Add profile for luarocks #4596
Conversation
DO NOT MERGE! Please review. MERGE BLOCKER: firecfg does not create the necessary symlink in /usr/local/bin /usr/bin/luarocks however is a proper working binary. Another annoyance from this: Neovim has a package manager called packer, which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec and .src.rock files.
|
If anyone has an idea that would be great. I do also have a profile for neovim that depends on luarocks working properly. I noticed the same issue for vim: /usr/local/bin is not created for me. With |
|
Closed by accident! If you create the symbolic link manually, does it work as expected?
In other words, is this an issue with |
If you do not add luarocks to firecfg.config, firecfg will not create symlinks. |
Co-authored-by: rusty-snake <[email protected]>
Co-authored-by: rusty-snake <[email protected]>
Co-authored-by: rusty-snake <[email protected]>
noblacklist in allow-lua.inc must corresponds to blacklist section for lua in disable-interpreters.inc
Co-authored-by: rusty-snake <[email protected]>
* disable /run/user/userid * use well tested whitelist-usr-share-common.inc * use disable-X11.inc
* dont break various application sandboxes with noblacklist /usr/include/lua* Instead insert it manually for luarocks. * remove redundant `blacklist /usr/share/lua` from disable-interpreters.inc
|
@rusty-snake Can I rebase, squash and force-push with you as co-author and the following text or do you think more changes are needed? Add profile for luarocks
Co-authored-by: rusty-snake <[email protected]> |
| @@ -481,6 +481,7 @@ lowriter | |||
| # lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| # lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| # lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| luarocks | |||
There was a problem hiding this comment.
Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)
There was a problem hiding this comment.
Status quo of the default profile is very undesirable, because luarocks search does not update the package list.
Both options are annoying to some degree:
- If sandboxed on default, luarocks may have too few privileges to invoke external compilers ie to compile luaformat
- If not sandboxed, evil lua programs/plugins in neovim may trivially invoke luarocks to do bad stuff.
| noblacklist /usr/share/lua | ||
| noblacklist /usr/share/lua* |
There was a problem hiding this comment.
I need to check why there was these two.
| # Disallow blocking access to Lua header files. | ||
| noblacklist /usr/include/lua* |
There was a problem hiding this comment.
When is /usr/include/lua… used? Current behaviour of allow-lua.inc is strange, allow /usr/include but not /usr/include/lua*.
Currently this is how we handle /usr/include:
$ grep /usr/include /etc/firejail/*
/etc/firejail/allow-lua.inc:noblacklist /usr/include
/etc/firejail/allow-nodejs.inc:noblacklist /usr/include/node
/etc/firejail/allow-python2.inc:noblacklist /usr/include/python2*
/etc/firejail/allow-python3.inc:noblacklist /usr/include/python3*
/etc/firejail/disable-devel.inc:blacklist /usr/include
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/lua*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/node
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python2*
/etc/firejail/disable-interpreters.inc:blacklist /usr/include/python3*
/etc/firejail/hashcat.profile:noblacklist /usr/include
| whitelist ${HOME}/.netrc | ||
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts | ||
| whitelist ${HOME}/.cache/luarocks | ||
| whitelist ${HOME}/luarocks/cmd/external | ||
| whitelist ${HOME}/.nix-profile/bin | ||
| whitelist ${HOME}/.luarocks | ||
| whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Missing mkdir/mkfile for some of them.
| whitelist ${HOME}/luarocks/cmd/external | ||
| whitelist ${HOME}/.nix-profile/bin | ||
| whitelist ${HOME}/.luarocks | ||
| whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Missing blacklist/noblacklist/read-only for some of them.
|
|
||
| whitelist ${HOME}/.netrc | ||
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts |
There was a problem hiding this comment.
Is this necessary?
edit: this line: whitelist ${HOME}/.wget-hsts
| whitelist ${HOME}/.netrc | ||
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts | ||
| whitelist ${HOME}/.cache/luarocks | ||
| whitelist ${HOME}/luarocks/cmd/external | ||
| whitelist ${HOME}/.nix-profile/bin | ||
| whitelist ${HOME}/.luarocks | ||
| whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Needs discussion: Missing wc.
| whitelist ${HOME}/.netrc | ||
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts | ||
| whitelist ${HOME}/.cache/luarocks | ||
| whitelist ${HOME}/luarocks/cmd/external | ||
| whitelist ${HOME}/.nix-profile/bin | ||
| whitelist ${HOME}/.luarocks | ||
| whitelist ${HOME}/.config/luarocks |
There was a problem hiding this comment.
Needs discussion: Do we want to use whitelisting for package-managers/build-systems by default.
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts | ||
| whitelist ${HOME}/.cache/luarocks | ||
| whitelist ${HOME}/luarocks/cmd/external |
There was a problem hiding this comment.
Nothing else from ~/luarocks required?
There was a problem hiding this comment.
The answer to this question depends on "Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)".
To what degree does firejail want to allow invoking build systems or running stuff from a package manager (which sounds like bad security practice).
|
User experience: cd /home/user/dev/git/c/neovim/.deps && /home/user/dev/git/c/neovim/.deps/usr/bin/luarocks build nvim-client 0.2.3-1 CC=/usr/bin/cc LD=/usr/bin/cc
Error: Could not find a result named nvim-client 0.2.3-1: No results matching query were found for Lua 5.1.
To check if it is available for other Lua versions, use --check-lua-versions.
[user@pc .deps]$ cd /home/user/dev/git/c/neovim/.deps && /home/user/dev/git/c/neovim/.deps/usr/bin/luarocks install nvim-client 0.2.3-1 CC=/usr/bin/cc LD=/usr/bin/ccThere is a manifest.zip file written to $HOME, which contains this info. Also $HOME is cluttered with *src.rock and *.rockspec files. |
| @@ -481,6 +481,7 @@ lowriter | |||
| # lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| # lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| # lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) | |||
| luarocks | |||
There was a problem hiding this comment.
Status quo of the default profile is very undesirable, because luarocks search does not update the package list.
Both options are annoying to some degree:
- If sandboxed on default, luarocks may have too few privileges to invoke external compilers ie to compile luaformat
- If not sandboxed, evil lua programs/plugins in neovim may trivially invoke luarocks to do bad stuff.
| whitelist ${HOME}/.config/pkcs11 | ||
| whitelist ${HOME}/.wget-hsts | ||
| whitelist ${HOME}/.cache/luarocks | ||
| whitelist ${HOME}/luarocks/cmd/external |
There was a problem hiding this comment.
The answer to this question depends on "Needs discussion: Do we want to firecfg build-systems/package-managers by default? (related: #4519)".
To what degree does firejail want to allow invoking build systems or running stuff from a package manager (which sounds like bad security practice).
DO NOT MERGE! Please review.
MERGE BLOCKER: firecfg does not create the necessary symlink in
/usr/local/bin
/usr/bin/luarocks however is a proper working binary.
Another annoyance from this: Neovim has a package manager called packer,
which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec
and .src.rock files.